Cybersecurity Expert Accepts Test-of-Time Award for Introducing Return-Oriented Programming

At the 24th ACM Conference on Computer and Communications Security (CCS 2017) in early November, University of California San Diego professor Hovav Shacham was recognized for a paper he presented 10 years earlier that introduced the field of “return-oriented programming.”

The CCS Test-of-Time Award this year went to Shacham’s CCS 2007 paper for its lasting impact on security research and practice during the past decade. The CCS awards committee chose just one paper out of the 55 that appeared at CCS 2007, and Shacham was the sole author on that paper. Accordingly, the Computer Science professor is the only recipient of this year’s award.

CSE professor Hovav Shacham (second from left) accepts CCS Test-of-Time Award from conference program chairs David Evans from the University of Virginia (far left), Columbia’s Tal Malkin, and Purdue’s Dongyan Xu (far right) at CCS 2017 in Dallas

Applications running on a computer keep track of what task they are performing and what tasks they are to perform next in a region of memory called the stack. Programming errors in these applications often allow the stack to be overwritten, confusing the application and causing it to misbehave or crash. Worse, an attacker who carefully crafts malicious input can confuse the application into running code he injects. Fixing all bugs in all applications is a hopeless task, so systems designers have devised defenses that rule out such code-injection attacks, by distinguishing “good” application code from attacker-introduced code. Since attackers must inject new code to achieve their ends, the thinking goes, ruling out the introduction of new code rules out attacks.

Security researchers working in industry had developed techniques that allowed them to exploit buggy programs and cause them to undertake certain “bad” behavior even in the presence of defenses against code injection. Shacham’s paper* unified and generalized these exploit techniques under the rubric of what he jokingly called “return-oriented programming.” A return-oriented attack doesn’t introduce any new code. Instead, it makes use of short snippets of the original, “good” program’s code. The attacker combines these snippets in clever ways that allow him to synthesize any behavior he desires from them. “An analogy to return-oriented programming is a kidnapper who puts together a ransom note with letters cut from magazine headlines,” said Shacham. “With all 26 letters gathered (and a photocopier), he can compose any message he wishes.”

Using return-oriented programming, the attacker puts together a set of building blocks from which he can synthesize any desired behavior. (Such a set is said to be “Turing-complete.”)

Shacham’s techniques (and his jokey name for them) have stuck, both in academia and in industry. Shacham’s paper has been cited more than 900 times. Where his original work considered only Intel’s x86 family of processors, researchers have since extended Return-Oriented Programming (ROP) to other popular processors, including the ARM processors that power nearly all smartphones. A 2014 Microsoft report (see Microsoft Security Intelligence Report, Volume 16) found return-oriented techniques used in more than 90% of exploits targeting Microsoft products. Microsoft, Intel, and ARM have all announced new security mechanisms in their products specifically to mitigate the threat of return-oriented programming.

CSE/CNS professor Hovav Shacham

“The Test-of-Time Award is the most significant honor we bestow on a paper because it is not simply a reflection that a piece of research was strong and well-received, but that a decade later it has had significant impact on the field,” said CSE professor Stefan Savage, who directs the Center for Networked Systems (CNS), in which Shacham is a member. “Hovav’s work on Return-Oriented Programming is an exemplar for such awards, because with one paper he made us all revisit our assumptions about what makes systems secure and the questions he posed in that work are still vibrant today. Moreover, this impact has not only been in academia, but Hovav’s ideas have become a deep part of how real-world offense and defense is waged in computer security as well.”

The 2017 conference took place in Dallas, TX, from October 30 to November 3. Shacham accepted the Test-of-Time Award during the conference’s banquet and awards ceremony on November 1. CCS is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM).

Shacham did much of his research on the award-winning paper while a postdoctoral researcher at Israel’s Weizmann Institute of Science in 2006 and 2007, but he completed and presented the paper at CCS after joining the UC San Diego faculty in fall 2007.

That same year, he also participated in California’s “Top-to-Bottom” security review of the voting machines certified for use by the state’s then-Secretary of State, Debra Bowen. Shacham was part of the team reviewing Hart InterCivic source code, and the report he co-authored was cited by Bowen in her ultimate decision to withdraw approval for use of the Hart voting machines in California elections.

Shacham earned his Ph.D. in computer science in 2005 from Stanford University. His doctoral dissertation was runner-up for the Computer Science Department’s Arthur L. Samuel Thesis Award.

As an advisor, Shacham’s two most-recent Ph.D. graduates went to work at Google (Wilson Lian) in 2016 and Apple (Keaton Mowery) in 2015. In 2012, his student Stephen Checkoway joined Johns Hopkins University as a research professor, and more recently joined the faculty at the University of Illinois at Chicago.

*Shacham, Hovav, “The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86).” In Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 552-561. ACM, 2007. DOI: 10.1145/1315245.1315313
